Abstract

The secrecy capacity of a network, for a given collection of permissible wiretap sets, is the maximum 
rate of communication such that observing links in any permissible wiretap set reveals no information 
about the message. This paper considers secure network coding with nonuniform or restricted wiretap 
sets, for example, networks with unequal link capacities where a wiretapper can wiretap any subset of k 
links, or networks where only a subset of links can be wiretapped. Existing results show that for the case 
of uniform wiretap sets (networks with equal capacity links/packets where any k can be wiretapped), 
the secrecy capacity is given by the cut-set bound, and can be achieved by injecting k random keys at 
the source which are decoded at the sink along with the message. This is the case whether or not the 
communicating users have information about the choice of wiretap set. In contrast, we show that for 
the nonuniform case, the cut-set bound is not achievable in general when the wiretap set is unknown, 
whereas it is achievable when the wiretap set is made known. We give achievable strategies where 
random keys are canceled at intermediate non-sink nodes, or injected at intermediate non-source nodes. 
Finally, we show that determining the secrecy capacity is an NP-hard problem.

Index Terms 

Secrecy capacity, network coding, information-theoretic security, cut-set bound, network interdiction,
NP-hard.

I. Introduction

Information-theoretically secure communication uses coding to ensure that an adversary that 
wiretaps a subset of network links obtains no information about the secure message. The secrecy 
capacity of a network, for a given collection of permissible wiretap sets, is defined as the 
maximum rate of communication such that any one of the permissible wiretap sets reveals 
no information about the message. In general, the choice of wiretap set is unknown to the 
communicating users, though we also discuss the case of known wiretap set where the encoding 
and decoding functions are allowed to depend on the choice of wiretap set, in which case the 
secrecy capacity is the maximum rate achievable under the worst case wiretap set. 

A theoretical basis for information-theoretic security was given in the seminal paper by Wyner
[1] using Shannon's notion of perfect secrecy [2], where a coset coding scheme based on a linear
maximum distance separable code was used to achieve security for a wiretap channel. More
recently, information-theoretic security has been studied in networks with general topologies.
The secure network coding problem, where a wiretapper observes an unknown set of links, was
introduced by Cai and Yeung [3]. They proposed a coding strategy, which we refer to as the
global key strategy, in which the source injects random key symbols that are decoded at the
sink along with the message. They showed achievability of this strategy in the nonuniform case
where a wiretapper can observe one of an arbitrary given collection of wiretap link sets, and
optimality of this strategy for multicast in the uniform case where each link has equal capacity
and a wiretapper can observe up to k links. For the uniform case, various constructions of secure
linear network codes have been proposed in e.g. [4], [5]. Other related work on secure network
communication includes weakly secure codes [6] and wireless erasure networks [7].

In this paper, we consider secure communication over wireline networks in the nonuniform 
case. In the case of throughput optimization without security requirements, the assumption that 
all links have unit capacity is made without loss of generality, since links of larger capacity can 
be modeled as multiple unit capacity links in parallel. However, in the secure communication 
problem, such an assumption cannot be made without loss of generality. Indeed, we show in 
this paper that there are significant differences between the uniform and nonuniform cases. For 
the case of uniform wiretap sets, the multicast secrecy capacity is given by the cut set bound, 
whether or not the choice of wiretap set is known, and is achieved by the global key strategy 
[3]. In contrast, the nonuniform case is more complicated, even for a single source and sink. We
show that the secrecy capacity is not the same in general when the location of the wiretapped
links is known or unknown. We give new achievable strategies where random keys are canceled 
at intermediate non-sink nodes or injected at intermediate non-source nodes, and show that these 
strategies can outperform the global key strategy. Finally, we show that determining the secrecy 
capacity is an NP-hard problem. 

II. Network Model and Problem Formulation 

In this paper we focus on acyclic graphs for simplicity; we expect that our results can be 
generalized to cyclic networks using the approach in [8], [9] of working over fields of rational
functions in an indeterminate delay variable. 

We model a wireline network by a directed acyclic graph $\mathcal{G} = (\mathcal{V}, \mathcal{E})$, where $\mathcal{V}$ is the vertex set
and $\mathcal{E}$ is the directed link set. Each link $(i,j) \in \mathcal{E}$ is a noise-free bit-pipe with a given capacity
$c_{i,j}$. We denote the set of incoming links $(w,v)$ of a node $v$ by $\mathcal{I}(v)$ and the set of outgoing
links $(v,w)$ of $v$ by $\mathcal{O}(v)$.

A source node $s \in \mathcal{V}$ observes a random source process $X_s$ taking values from a discrete
alphabet $\mathcal{X}_s$. A sink node $d \in \mathcal{V}$ wishes to reconstruct $X_s$ with probability of error going to zero
with the coding blocklength.

An eavesdropper can wiretap a set A of links chosen from a known collection W of possible 
wiretap sets. Without loss of generality we can restrict our attention to maximal wiretap sets, 
i.e. no set in W is a subset of another. The choice of wiretap set A is unknown to the 
communicating nodes, except where otherwise specified in this paper. In the case of known 
wiretap set, the wiretapper can choose an arbitrary wiretap set A in W which is then revealed 
to the communicating nodes. 

A block code of blocklength n is defined by a mapping 

from $\mathcal{X}_s^n$ to the vector transmitted on each outgoing link $e$ of the source $s$, a mapping

$$f_e^{(n)}: \prod_{d \in \mathcal{I}(v)} \{1,\ldots,2^{n c_d}\} \to \{1,\ldots,2^{n c_e}\}, \quad e \in \mathcal{O}(v)$$

from the vectors received by a non-source node $v$ to the vectors transmitted on each outgoing
link $e$ of $v$, and a mapping

$$g^{(n)}: \prod_{d \in \mathcal{I}(d)} \{1,\ldots,2^{n c_d}\} \to \mathcal{X}_s^n$$

from the vectors received by the sink $d$ to the decoded output. Node mappings are applied in
topological order; each node receives input vectors from all its incoming links before applying 
the mappings corresponding to its outgoing links. 

The secrecy capacity is defined as the highest possible source-sink communication rate for 
which there exists a sequence of block codes such that the probability of decoding error at 
the sink goes to zero and, for any choice of $A \in \mathcal{W}$, the message communicated is information
theoretically secret, i.e. has zero mutual information with the wiretapper's observations.

In Section III we give a cut set bound and achievable strategies for this general problem. In
Sections IV and V we show that the cut set bound is unachievable and that finding the secrecy
capacity is NP hard, even for the following special cases:

1) Scenario 1 is a wireline network with equal link capacities, where the wiretapper can 
wiretap an unknown subset of k links from a known collection of vulnerable network 
links. 

2) Scenario 2 is a wireline network with unequal link capacities, where the wiretapper can 
wiretap an unknown subset of k links from the entire network. 

It is convenient to show these results for Scenario 1 first, and then show the corresponding results 
for Scenario 2, by converting the Scenario 1 networks considered into corresponding Scenario 
2 networks for which the same result holds. 

Although, for the sake of simplicity, we focus on single-source single-sink networks, the cut- 
set bound and strategy 2 in Section III can be easily extended to multicast networks, whereas 
the results discussed in Sections IV and V directly apply to both multicast and non-multicast 
cases since the single-source single-sink case represents a special case for both. 

III. Cut-Set Bound and Achievable Strategies 

In this section, we consider the general wireline problem with unequal link capacities where 
the eavesdropper can wiretap an unknown set A of links chosen from a known collection 
W of possible wiretap sets. We state a cut-set upper bound on capacity, and give two new 
achievable strategies and examples in which they outperform the existing global key strategy. 
Using the combined intuition from these examples, we show in Section IV that the cut-set bound
is unachievable in general. One of the achievable strategies is used in Section V to show that
finding the secrecy capacity in general is NP-hard.

A. Cut-Set Bound

Let $S^c$ denote the set complement of a set $S$. A cut for $x,y \in \mathcal{V}$ is a partition of $\mathcal{V}$ into two
sets $\mathcal{V}_x$ and $\mathcal{V}_x^c$ such that $x \in \mathcal{V}_x$ and $y \in \mathcal{V}_x^c$. For the $x$-$y$ cut given by $\mathcal{V}_x$, the cut-set
$[\mathcal{V}_x, \mathcal{V}_x^c]$ is the set of links going from $\mathcal{V}_x$ to $\mathcal{V}_x^c$, i.e.,

$$[\mathcal{V}_x, \mathcal{V}_x^c] = \{(u,v) \mid (u,v) \in \mathcal{E},\ u \in \mathcal{V}_x,\ v \in \mathcal{V}_x^c\}. \tag{1}$$

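Theorem 1: Consider a network of point-to-point links, where link $(i,j)$ has capacity $c_{i,j}$. The
secrecy capacity is upper bounded by

$$\min_{\{\mathcal{V}_s :\, \mathcal{V}_s \text{ is an } s\text{-}d \text{ cut}\}} \ \min_{A \in \mathcal{W}} \ \sum_{(i,j) \in [\mathcal{V}_s, \mathcal{V}_s^c] \cap A^c} c_{i,j}. \tag{2}$$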

This bound applies whether or not the communicating nodes have knowledge of the chosen 
wiretap set A. 

Proof: Consider any source-sink cut $\mathcal{V}_s$ and any wiretap set $A \in \mathcal{W}$. Denote by $X$ the
transmitted signals from nodes in $\mathcal{V}_s$ over links in $[\mathcal{V}_s, \mathcal{V}_s^c]$ and denote by $Y$ and $Z$ the observed
signals from links in $[\mathcal{V}_s, \mathcal{V}_s^c]$ and in $[\mathcal{V}_s, \mathcal{V}_s^c] \cap A$ respectively. We consider block coding with block
length $n$ and secret message rate $R_s$. By the perfect secrecy requirement $H(M|Z^n) = H(M)$ we
have

$$
\begin{aligned}
nR_s &\le H(M|Z^n) \\
&\overset{(a)}{\le} H(M|Z^n) - H(M|Y^n) + n\epsilon_n \\
&= H(M|Z^n) - H(M|Y^n, Z^n) + n\epsilon_n \\
&= I(M; Y^n|Z^n) + n\epsilon_n \\
&\overset{(b)}{\le} I(X^n; Y^n|Z^n) + n\epsilon_n \\
&= H(X^n|Z^n) - H(X^n|Y^n, Z^n) + n\epsilon_n \\
&\le H(X^n|Z^n) + n\epsilon_n \\
&\le n \sum_{(i,j) \in [\mathcal{V}_s, \mathcal{V}_s^c] \cap A^c} c_{i,j} + n\epsilon_n,
\end{aligned} \tag{3}
$$

where $\epsilon_n \to 0$ as $n \to +\infty$ and

(a) is due to Fano's inequality;

(b) is due to the data processing inequality and the fact that $M \to X^n \to Y^n \to Z^n$ forms
a Markov chain;

If the choice of wiretap set A is known to the communicating nodes, the cut-set bound in
this case is also (2), which is achievable using a network code that does not send any flow on
links in A. In contrast, we show in Section IV that the cut-set bound is not achievable in general
when the wiretap set A is unknown.
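
Since a code that sends no flow on A achieves (2) when A is known, the bound equals the smallest max flow that remains after deleting a permissible wiretap set. The following added example (not code from the paper) evaluates (2) both literally, by enumerating cuts, and through max flow; the five-link network, the two wiretap collections and all function names are constructed assumptions.

```python
from collections import deque
from itertools import combinations

# Constructed sample network (an assumption, not a figure from the paper):
# (tail, head, capacity) with unequal capacities; source "s", sink "d".
LINKS = [("s", "a", 2), ("s", "b", 1), ("a", "b", 1), ("a", "d", 1), ("b", "d", 2)]


def max_flow(links, src, dst):
    """Edmonds-Karp max flow; links is a list of (tail, head, capacity)."""
    cap, head, adj = [], [], {}
    for u, v, c in links:
        # edge 2i is the forward arc, edge 2i+1 its residual reverse arc
        for a, b, r in ((u, v, c), (v, u, 0)):
            adj.setdefault(a, []).append(len(cap))
            cap.append(r)
            head.append(b)
    flow = 0
    while True:
        parent = {src: None}              # node -> residual edge used to reach it
        queue = deque([src])
        while queue and dst not in parent:
            u = queue.popleft()
            for e in adj.get(u, []):
                if cap[e] > 0 and head[e] not in parent:
                    parent[head[e]] = e
                    queue.append(head[e])
        if dst not in parent:
            return flow                   # no augmenting path is left
        path, node = [], dst
        while parent[node] is not None:
            path.append(parent[node])
            node = head[parent[node] ^ 1]  # tail of an edge = head of its twin
        push = min(cap[e] for e in path)
        for e in path:
            cap[e] -= push
            cap[e ^ 1] += push
        flow += push


def bound_by_flow(links, src, dst, wiretap_sets):
    """Min over A of the max flow that avoids A; returns (bound, worst A)."""
    best, worst = float("inf"), None
    for A in wiretap_sets:
        kept = [link for i, link in enumerate(links) if i not in A]
        value = max_flow(kept, src, dst)
        if value < best:
            best, worst = value, tuple(A)
    return best, worst


def bound_by_cuts(links, src, dst, wiretap_sets):
    """Expression (2) evaluated literally: min over s-d cuts and over A."""
    inner = sorted({n for u, v, _ in links for n in (u, v)} - {src, dst})
    best = float("inf")
    for r in range(len(inner) + 1):
        for extra in combinations(inner, r):
            side = {src, *extra}          # the source side V_s of the cut
            for A in wiretap_sets:
                total = sum(c for i, (u, v, c) in enumerate(links)
                            if u in side and v not in side and i not in A)
                best = min(best, total)
    return best


# Wiretap collections, given as tuples of indices into LINKS (constructed).
ANY_ONE_LINK = list(combinations(range(len(LINKS)), 1))  # k = 1, whole network
UNIT_LINKS_ONLY = [(1,), (2,), (3,)]                     # only capacity-1 links exposed

if __name__ == "__main__":
    for name, sets in (("any link", ANY_ONE_LINK), ("unit links only", UNIT_LINKS_ONLY)):
        print(name, bound_by_flow(LINKS, "s", "d", sets),
              bound_by_cuts(LINKS, "s", "d", sets))
```

On this network the unprotected max flow is 3, the bound drops to 1 when any single link may be tapped (the capacity-2 links are the worst case), and it is 2 when only the unit-capacity links are exposed.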

B. Achievable Strategies for Unknown Wiretap Set 

In the case of unit link capacities, the secrecy capacity can be achieved using global keys
generated at the source and decoded at the sink [3]. The source transmits $R_s$ secret information
symbols and $R_w$ random key symbols, where $R_s + R_w$ is equal to the min-cut of the network. This
scheme does not achieve capacity in general networks with unequal link capacities. Intuitively,
this is because the total rate of random keys is limited by the min cut from the source to the
sink, whereas more random keys may be required to fully utilize large capacity cuts with large
capacity links.
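
The global key strategy in its simplest uniform setting, as an added example that is not code from the paper: five parallel unit-capacity links over GF(5), $k = 2$ wiretapped links, $R_w = 2$ key symbols and $R_s = 3$ message symbols, all decoded at the sink. The polynomial encoding and the names `encode`, `decode` and `leaks` are assumptions chosen for illustration; `leaks` checks perfect secrecy exhaustively by comparing the wiretapper's observation distribution across all messages.

```python
from collections import Counter
from itertools import combinations, product

P = 5                        # field size: arithmetic is over GF(5)
POINTS = [0, 1, 2, 3, 4]     # one distinct evaluation point per link (constructed)
K = 2                        # key symbols = links the wiretapper may observe
R_S = len(POINTS) - K        # message symbols: min-cut minus key rate = 3


def encode(message, keys):
    """Link i carries keys[0] + keys[1]*x + m0*x^2 + m1*x^3 + m2*x^4 at x = POINTS[i]."""
    coeffs = list(keys) + list(message)
    return [sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P for x in POINTS]


def decode(received):
    """Sink sees all links: solve the Vandermonde system by Gauss-Jordan mod P."""
    n = len(POINTS)
    rows = [[pow(x, e, P) for e in range(n)] + [y] for x, y in zip(POINTS, received)]
    for col in range(n):
        piv = next(r for r in range(col, n) if rows[r][col] % P)
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, P)
        rows[col] = [v * inv % P for v in rows[col]]
        for r in range(n):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % P for a, b in zip(rows[r], rows[col])]
    coeffs = [row[n] for row in rows]
    return coeffs[K:], coeffs[:K]     # (message symbols, key symbols)


def leaks(tapped):
    """True if the tapped symbols' distribution over uniform keys depends on the message."""
    reference = None
    for message in product(range(P), repeat=R_S):
        dist = Counter(tuple(encode(message, keys)[i] for i in tapped)
                       for keys in product(range(P), repeat=K))
        if reference is None:
            reference = dist
        elif dist != reference:
            return True
    return False


if __name__ == "__main__":
    sent = encode((3, 1, 4), (2, 0))
    print("link symbols:", sent, "decoded:", decode(sent))
    print("any 2 links leak:", any(leaks(t) for t in combinations(range(5), 2)))
    print("links 0,1,2 leak:", leaks((0, 1, 2)))
```

Any two link symbols are a bijective image of the two keys, so they are uniform whatever the message; a third tapped link exceeds the key rate and the check reports a leak.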

Capacity can be improved by using a combination of local and global random keys. A local key 
is injected at a non-source node and/or canceled at a non-sink node. However, it is complicated 
to optimize over all possible combinations of nodes at which keys are injected and canceled. 
Thus, we propose the following more tractable constructions, which we will use to develop 
further results in subsequent sections. 

Strategy 1: Random Keys Injected by Source and Possibly Canceled at Intermediate Nodes
Our first construction achieves secrecy with random keys injected only at the source. The
source carries out pre-coding so that random keys are canceled at intermediate nodes and the
sink receives the intended message without interference from the random keys. As such, it applies
in the single-source, single-sink case, and is useful in networks where the incoming capacity of
the sink is too small to accommodate the message plus all the keys needed in the network. An
example is given in Fig. 1, where each link has unit capacity, the number of wiretapped links
is $k = 2$, and only the first layer of the three layer network is allowed to be wiretapped. The
secret message rate $R_s = 3$ is achievable by using the strategy in Fig. 1, where the operation is
on a finite field GF(5). In Fig. 1, $a,b,c$ are secret messages and $f,g$ are keys. The message
on the $i$-th link in the first layer is denoted as $X_i$, $i = 1,2,3,4,5$. The key $f$ is canceled at the
second layer and the key cancelation scheme is labeled on the last layer links. It is easy to
see that H( 2, Vij^j which means perfect secrecy is achieved. At the same time,
the sink $d$ can decode $a,b,c$ and the key $g$. When key cancelation is not applied, let $R_s$ and
$R_w$ be the secrecy rate and the random key rate at the source, respectively. Let $z$ be the total
rate of transmission on the first layer. To achieve secrecy, we must have $R_w \ge \frac{2}{5}z$, where the
cut-set condition on the first layer requires $R_s + R_w \le z$. Since the sink needs to decode both
message and random key symbols from the source, the cut-set condition on the last layer requires
$R_s + R_w \le 4$. Combining these we obtain $R_s \le \max_z \min(4 - \frac{2}{5}z, \frac{3}{5}z) = \frac{12}{5}$, which is strictly less
than 3.

October 27, 2011 DRAFT

Fig. 1. An example of Strategy 1, where any two of the five links in the first layer can be wiretapped. Capacity 3 is achieved
by canceling at the second layer one of the two random keys injected by the source. The operation is on a finite field GF(5).

To formally develop the Strategy 1 construction, we will use the following result:
Claim 1 ([10, Corollary 19.21]): Given an acyclic network, there exists, for a sufficiently
large finite field, a linear network code in which the dimension of the received subspace at each
non-source node $t$ is $\min(\omega, \mathrm{maxflow}(t))$, where $\omega$ is the dimension of the message subspace.

Let $R_s$ denote the secret message rate and $z_{i,j}$ the transmission rate on each network link
$(i,j) \in \mathcal{E}$, whose values we will discuss how to choose below. Consider the graph $\mathcal{G}$ with the
capacity of each link $(i,j) \in \mathcal{E}$ set as $z_{i,j} \le c_{i,j}$. As illustrated in Fig. 2, augment the graph as
follows:

• Connect each subset of links $A \in \mathcal{W}$ to a virtual node $t_A$: more precisely, for each directed
link $(i,j) \in \mathcal{E}$ in the network, create a node $v_{i,j}$ and replace $(i,j)$ by two links $(i,v_{i,j})$ and
$(v_{i,j},j)$ of capacity $z_{i,j}$, and for each $(i,j) \in A$ create a link $(v_{i,j},t_A)$ of capacity $z_{i,j}$. Let
$R_{s \to A}$ be the max flow/min cut capacity between $s$ and $t_A$.

• Add a virtual sink node $d'$ and join the actual sink $d$ to $d'$ by a link $(d,d')$ of capacity
$R_s$.

• Connect both $t_A$ and the virtual sink $d'$ to a virtual sink $d_A$ by adding a link $(t_A,d_A)$ of
capacity $R_{s \to A}$ and a link $(d',d_A)$ of capacity $R_s$, respectively.

Fig. 2. Illustration of Strategy 1, an achievable construction where random keys are injected by the source and possibly canceled
at intermediate nodes. In this figure, $k = 2$ and only the 5 links in the first layer can be wiretapped.

The source sends a secret message $v = [v_1, \ldots, v_{R_s}]^T$ along with $R_w$ random key symbols
$w = [w_1, \ldots, w_{R_w}]^T$.¹ The values of $R_s$, $R_w$, and $z_{i,j}$ are chosen such that each virtual sink $d_A$ can
decode $R_s + R_{s \to A}$ linear combinations of message and random key symbols, and the sink $d$ can
decode the $R_s$ message symbols. Specifically, if for each $A$ the rate $R_s + R_{s \to A}$ equals the min-
cut capacity between the source and the virtual sink $d_A$ and $R_{s \to A} \le R_w$, by using Claim 1 there
exists a network code such that each $d_A$ receives $R_s + R_{s \to A}$ linearly independent combinations
of $v$ and $w$ when the finite field size is sufficiently large (q> ('f )). Let the signals received at a
particular virtual sink $d_B$ be denoted as $M_B [v^T, w^T]^T$, where $M_B$ is an $(R_s + R_{s \to B}) \times (R_s + R_w)$
received coding matrix with full row rank. We can add $R_w - R_{s \to B}$ rows to $M_B$ to get a full
rank $(R_s + R_w) \times (R_s + R_w)$ square matrix $\hat{M}_B$. We then precode the secret message and keys
using $\hat{M}_B^{-1}$, i.e., the source transmits $\hat{M}_B^{-1} [v^T, w^T]^T$, so that link $(d',d_B)$ carries $v$.

¹ We assume that $R_s$ and $R_{s \to A}$ are integers, which can be approximated arbitrarily closely by scaling the capacity of all
links by the same factor.

Claim 2: Strategy 1 allows the sink to decode the message $v$ and achieves perfect secrecy.
Proof: Since $(d,d')$ is the only incoming link of $(d',d_B)$, and both links have capacity $R_s$
which is equal to the rate of the message $v$, link $(d,d')$ carries exactly $v$. This implies that sink
$d$ receives $v$. Furthermore, for any virtual sink $d_A$, the received coding matrix with precoding
is $M_A \hat{M}_B^{-1}$, which is a full row rank matrix. As $M_A \hat{M}_B^{-1}$ is a full row rank matrix, the coding
vectors of the received signals from the set $A$ of wiretapping links span a rank $R_{s \to A}$ subspace
that is linearly independent of the set of coding vectors corresponding to message $v$ received
on $(d',d_A)$. Therefore, the signals received on $A$ are independent of the message $v$, and perfect
secrecy is achieved. ■

Note that applying $\hat{M}_B^{-1}$ causes the random keys injected by the source to be either canceled
at intermediate nodes or decoded by the sink.

It remains to optimize over values of $R_s$, $R_w$ and $z_{i,j}$ such that for each $A$ the rate $R_s + R_{s \to A}$
equals the min-cut capacity between $s$ and $d_A$ and $R_{s \to A} \le R_w$. Since computing $R_{s \to A}$ (the
min-cut capacity between $s$ and $t_A$) for arbitrary $z_{i,j}$ involves a separate max flow computation,
to simplify the optimization, we can constrain $R_{s \to A}$ to be equal to some upper bound $U_A$ on
$R_{s \to A}$, and thereby obtain an achievable secrecy rate using Strategy 1. For instance, we can take
$U_A$ to be $\sum_{(i,j) \in A} z_{i,j}$, or alternatively take $U_A$ to be the min-cut capacity between $s$ and $t_A$ on
the graph with the original link capacities $c_{i,j}$. We can write a linear program (LP) for this key
cancelation strategy as follows:

max i?, 




R S -U A , if i = d A , 
0, otherwise, 



if i — s 



(4) 



View, 



where 
on conservation of flow ffy ensure that the min cut between the source and $d_A$ is at least $R_s + U_A$.
Since the only incoming links of $d_A$ are $(t_A,d_A)$ of capacity $R_{s \to A}$ and $(d',d_A)$ of capacity $R_s$,
this implies that $R_{s \to A}$ equals the upper bound $U_A$. Thus, the optimal value of (4) gives an
achievable secrecy rate.

Strategy 2: Random Keys Injected by Source and/or Intermediate Nodes and Decoded at Sink 
In strategy 2, any node in the network can inject random keys. The sink is required to decode 
both the secret message and the random keys from all nodes, i.e. keys are not canceled within the 
network, while the random key rates must be sufficient to "fill" each wiretap set (in a sense that 
is made precise below). Although for simplicity of notation the algorithm description below is 
for the single-source, single-sink case, this strategy applies directly to multiple-source multicast 
case. If random keys are injected only at the source, the strategy reduces to the global key 
strategy in [3]. Note that under the assumption that only the source knows the message and
different nodes do not have common randomness, here we cannot apply the key cancelation 
and precoding idea from Strategy 1, since after applying the precoding matrix each node may 
potentially be required to transmit a mixture of the source message and other nodes' random 
keys. 

Let $R_{w,v}$ be the random key injection rate at node $v$. As before, $R_s$ denotes the secret message
rate at the source and $z_{i,j}$ the transmission rate on link $(i,j)$. We will address the choice of these
rates below. Consider the graph $\mathcal{G}$ with the capacity of each link $(i,j) \in \mathcal{E}$ set as $z_{i,j}$. Connect
each subset of links $A \in \mathcal{W}$ to a virtual node $d_A$: more precisely, for each directed link $(i,j) \in \mathcal{E}$
in the network, create a node $v_{i,j}$ and replace $(i,j)$ by two links $(i,v_{i,j})$ and $(v_{i,j},j)$ of capacity
$z_{i,j}$, and for each $(i,j) \in A$ create a link $(v_{i,j},d_A)$ of capacity $z_{i,j}$. Intuitively, we want the max
flow/min cut capacity from the message and random key sources to $d_A$ to be equal to that in the
absence of the message. Similarly to strategy 1, we simplify the optimization by constraining
this max flow/min cut capacity to be equal to an upper bound, $\sum_{(i,j) \in A} z_{i,j}$. Specifically, we have
the following LP:

max R s 

' r> otherwise, 

ifi=d, ( 5 ) 

-^6 ~ = 1 ^ + ^*m> if i=s, 

<„..,. otherwise, 

fi,j — Z i,ji fi,j — Z i,ji z i,j^ c i,ji^{hj) > 

where the first set of equations corresponds to the requirement that the network accommodates
a flow $f^A$ of size $\sum_{(i,j) \in A} z_{i,j}$ from the random key sources to $d_A$, the second set of equations
corresponds to the requirement that the network accommodates a flow $f^d$, of size equal to the
sum of the message and random key rates, from the message and random key sources to the
sink $d$, and the third set of inequalities corresponds to the link capacity constraints.

Claim 3: Strategy 2 allows the sink to decode the message $v$, and achieves perfect secrecy.
Proof: As illustrated in the example of Fig. 3, consider an augmented network with

• a virtual source node $u_s$ connected to the source node $s$ by a directed link $(u_s,s)$ of capacity
$R_s$, and connected to each virtual sink $d_A$ by a directed link $(u_s,d_A)$ of capacity $R_s$, and

• a virtual node $u_k$ connected to each node $v$ by a directed link $(v,u_k)$ of capacity $R_{w,v}$,
and connected to each virtual sink $d_A$ by a directed link $(u_k,d_A)$ of capacity $\sum_v R_{w,v} - \sum_{(i,j) \in A} z_{i,j}$.

The source information enters the network at the virtual source node $u_s$ and is transmitted
to each virtual sink $d_A$. Consider a multi-source multicast problem on this network, where the
actual sink node and the virtual sinks $d_A$ each demand the source message and all the random
keys. By the first constraint of the LP, the max flow from the random key sources to $d_A$ in
the original network equals $\sum_{(i,j) \in A} z_{i,j}$; together with the additional capacity in the augmented
network ($\sum_v R_{w,v} - \sum_{(i,j) \in A} z_{i,j}$ from the random key sources and $R_s$ from $u_s$), the max flow
from the message and random key sources to each virtual sink $d_A$ is sufficient to ensure that the
multicast problem is feasible [11]. A capacity-achieving code for this multicast problem in the
transformed graph corresponds to a code for the original secrecy problem, since the information
received by each virtual sink $d_A$ from the set $A$ of original network links must be independent
of information received from the additional links, which includes the entire source message. ■
Fig. 3. An example of the augmented network construction for the proof of correctness of strategy 2, where $s,a,b,d$ are nodes
of the original graph, and only one of the two links $(s,a)$ and $(s,b)$ can be wiretapped.

Fig. 4. Example of the usefulness of Strategy 2.

An example where this strategy is useful is given in Fig. 4, which is obtained by interchanging
the source and the sink as well as reversing all the links in Fig. 2. At most three links in the last
layer can be wiretapped. By injecting one local key at node ji and two global keys at the source,
Strategy 2 can achieve secrecy rate 2. On the other hand, if random keys are only injected at
the source, the secrecy rate is at most $\frac{8}{5}$. Let $R_s$ and $R_w$ be the secrecy rate and the random
key rate at the source, respectively. Let $z$ be the total rate of transmission on the last layer. To
achieve secrecy, we must have $R_w \ge \frac{3}{5}z$, where the min-cut condition on the last layer requires
$R_s + R_w \le z$. Since the source injects all the random keys, the min-cut condition on the first layer
requires $R_s + R_w \le 4$. Combining these we obtain $R_s \le \frac{8}{5}$, which is strictly less than 2.

From the examples, we see that the types of scenarios in which Strategy 1 and Strategy 
2 are useful seem to be complementary. In general, these two strategies can be combined to 
obtain a higher secrecy rate. We use these strategies conceptually in the following sections to 
develop theoretical results. However, for numerical computation of achievable rates in scenarios 
1 and 2, we note that the number of possible wiretapping sets, and thus the size of the LPs, are 
exponential in the size k of each wiretap set, so they are useful for small k. 

IV. Unachievability of Cut Set Bound 

In the case of unrestricted wiretapping sets and unit link capacities, the secrecy capacity is 
equal to the cut-set bound [3]. In this section we show that the cut-set bound (2) is not achievable
in general, by considering the example in Fig. 5, where the set of wiretappable links is restricted
(Scenario 1). We give an explicit proof that the cut set bound is not achievable for the case
when the wiretap set is unknown. We also use the program Information Theoretic Inequalities
Prover (Xitip) [12] to show that the secrecy capacity is bounded away from the cut set bound.
We then convert the example into one with unequal link capacities (Scenario 2), and show the 
unachievability of the cut set bound for this case also. 

A. Restricted Wiretap Set (Scenario 1) 

Consider the example in Fig. 5, where all links have unit capacity and any three of the five
middle layer links can be wiretapped. Let the middle layer links be 1-5 (from top to bottom) and
the last layer links be 6-8 (from top to bottom). Let the signal carried by link $i$ be called signal
$i$, or $S_i$. Let the source information be denoted $X$. The cut-set bound, or the secrecy capacity
with known wiretap set, is 2.

Fig. 5. An example to show that the secrecy rate without knowledge of wiretapping set is smaller than that with such knowledge. 
The wiretapper can wiretap any three of the five links in the middle layer. 

To provide intuition for the case when the wiretap set is unknown, we first show that secrecy 
rate 2 cannot be achieved by using scalar linear coding. Then, the argument is converted to an 
information theoretic proof that secrecy rate 2 cannot be achieved by using any possible coding 
scheme. 

Suppose secrecy rate 2 is achievable with a scalar linear network code. First note that the 
source cannot inject more than unit amount of random key, otherwise the first layer cannot carry 
two units of source data. Let the random key injected by the source be denoted K. For the case 
when the source injects a unit amount of random key, we first have the following observations. 
Signal 6 must be a function of signal 1, otherwise if the adversary sees the signals 2-4 then he 
knows signals 6-7. Also, signal 8 must be a function of signal 5, otherwise if the adversary sees 
signals 1, 2 and 4, then he knows signals 7-8. Similarly we can show that signal 8 must be a 
function of signal 1, and signal 7 must be a function of signal 2. We consider the following two 
cases. 

Case 1: signal 5 is a linear combination of signals present at the source node. To achieve
the full key rank condition on links 1, 2 and 5, node a must put two independent local keys $k_1$
and $k_2$ on links 1 and 2 respectively. Link 7, whose other input is independent of $k_2$, is then
a function of $k_2$. Similarly, Link 8 is a function of $k_1$. This means that the last layer has two
independent local keys on it.

Case 2: signal 5 is a linear combination of signals present at the source node as well as a 
local key k injected by node c. 

Case 2a: k is also present in signal 1. Then k is present in signal 6, and is independent of 
the key present in signal 7. 

Case 2b: k is not present in signal 1. Then k is present in signal 8, and is independent of the 
key present in signal 7. 

In all three cases 1, 2a, and 2b, there is a pair of last layer links which are functions of 
two independent random keys, leaving capacity for only one unit of secret message. Thus, we 
conclude that the secrecy rate without knowledge of the wiretapping set by using only linear 
network coding is less than two. 

We now extend the above argument to any coding scheme which leads to the following 
theorem. 

Theorem 2: For the wireline network in Fig. 5, a secrecy rate of 2 is not achievable with any
possible coding scheme, if any three out of the five links (1-5) in the middle layer are wiretapped 
and the location of those links is unknown. 

Proof: See Appendix. ■ 

We can also show that the secrecy rate is bounded away from 2 by using the framework
for linear information inequalities [13]. Let $X$ be the message sent from the source and $Z_i$,
$i = 1,2,3$, be the signals on the links adjacent to the source. We want to check whether $H(X) \le \omega$
is implied by

$$
\begin{aligned}
&(1)\quad H(Z_i) \le 1,\ H(S_j) \le 1,\quad i = 1,2,3,\ j = 1,\ldots,8, \\
&(2)\quad H(X|S_6,S_7,S_8) = 0, \\
&(3)\quad I(X,Z_1,Z_2,Z_3,S_4,S_5,S_7,S_8;\, S_6 \mid S_1,S_2,S_3) = 0, \\
&(4)\quad I(X,Z_1,Z_2,Z_3,S_1,S_3,S_5,S_6,S_8;\, S_7 \mid S_2,S_4) = 0, \\
&(5)\quad I(X,Z_1,Z_2,Z_3,S_2,S_3,S_6,S_7;\, S_8 \mid S_1,S_4,S_5) = 0, \\
&(6)\quad I(X;S_1,S_2,S_3) = 0,\ I(X;S_1,S_2,S_4) = 0, \\
&(7)\quad I(X;S_1,S_2,S_5) = 0,\ I(X;S_1,S_3,S_4) = 0, \\
&(8)\quad I(X;S_1,S_3,S_5) = 0,\ I(X;S_1,S_4,S_5) = 0, \\
&(9)\quad I(X;S_2,S_3,S_4) = 0,\ I(X;S_2,S_3,S_5) = 0, \\
&(10)\quad I(X;S_2,S_4,S_5) = 0,\ I(X;S_3,S_4,S_5) = 0, \\
&(11)\quad I(S_1;Z_2 \mid Z_1,Z_3) = 0,\ I(S_2;Z_2,Z_3 \mid Z_1) = 0, \\
&(12)\quad I(S_3;Z_3 \mid Z_1,Z_2) = 0,\ I(S_4;Z_1,Z_3 \mid Z_2) = 0, \\
&(13)\quad I(S_5;Z_1,Z_2 \mid Z_3) = 0,\ I(S_1;S_4 \mid Z_1,Z_2,Z_3) = 0, \\
&(14)\quad I(S_2;S_4,S_5 \mid Z_1,Z_2,Z_3) = 0,\ I(S_3;S_5 \mid Z_1,Z_2,Z_3) = 0, \\
&(15)\quad I(S_4;S_1,S_2,S_5 \mid Z_1,Z_2,Z_3) = 0,\ I(S_5;S_2,S_3,S_4 \mid Z_1,Z_2,Z_3) = 0, \\
&(16)\quad I(S_1,S_2,S_3,S_4,S_5;\, X \mid Z_1,Z_2,Z_3) = 0,
\end{aligned} \tag{6}
$$


where the first inequality is the capacity constraint, the second constraint shows that the sink
can decode $X$, constraints (3) to (5) mean that the signals in the last layer are independent of
other signals given the incoming signals from the middle layer, constraints (6) to (10) represent
the secrecy constraints when any three links in the middle layer are wiretapped, and constraints
(11) to (16) represent the conditional independence between the signals in the first layer and
those in the middle layer. In particular, (16) shows that $X \to (Z_1,Z_2,Z_3) \to (S_1,\ldots,S_5)$ forms a
Markov chain. Note that constraints (3) to (5) and (11) to (16) implicitly allow some randomness
to be injected at the corresponding nodes. We use the Xitip program [12], which relies on the
framework in [13], to show that $H(X) \le 5/3$ is implied by the set of equalities (6). Therefore,
5/3 is an upper bound on the secrecy rate when the location of wiretapper is unknown, which
is less than the secrecy rate 2 achievable when such information is known. Therefore, there is
a strict gap between the secrecy capacity and the cut set bound.

Fig. 6. A coding scheme achieving secrecy rate 1 without knowledge of the wiretap set for the network in Fig. 5, where any
three of the five middle layer links can be wiretapped. $w$ is the secret message, $x$ and $y$ are keys injected at the source, and $u$
is a key injected at node a and canceled at node e. The operations are over a finite field GF(7).

On the other hand, the secrecy rate for the wireline network in Fig. 5 is at least 1, which
is shown by the example in Fig. 6, where a finite field GF(7) is used. In this example, a
combination of strategies 1 and 2 is used, where keys are injected inside the network and are
also canceled at intermediate nodes.

B. Unequal Link Capacities (Scenario 2) 

We have restricted the wiretapped links to be in the middle layer in Fig. 5. We next show
that the unachievability of the cut-set bound also holds for the secure network coding problem
with unequal link capacities (Scenario 2). We convert the example of Fig. 5 by partitioning each
non-middle layer link into - parallel small links, each of which has capacity $\epsilon$. Any three
links can be wiretapped in the transformed graph. We prove the unachievability of the cut-set
bound in the transformed network.

First, we show a lower bound on the min-cut between the source and the sink in the transformed
network when three links are deleted. Note that deleting any $k'$ ($k' < 3$) non-middle layer links
reduces the min-cut by at most $k'\epsilon$. When $k' = 0$, the min-cut is 2. When $k' = 1$ or at
most two middle layer links are deleted, the min-cut is at least 2 after deleting these middle
layer links, and the min-cut is at least $2 - k'\epsilon \ge 2 - \epsilon$ after further deleting
the $k' = 1$ non-middle layer link. When $k' = 2$ or at most one middle layer link is deleted, the
min-cut between the source and the sink is 3 after deleting this middle layer link, and the
min-cut is at least $3 - k'\epsilon > 3 - 3\epsilon$ after further deleting the $k'$ non-middle
layer links. Therefore, the cut-set bound is at least $\min(2 - \epsilon, 3 - 3\epsilon)$.

For the case where the location of the wiretap links is unknown, we prove the unachievability
of the cut-set bound in the transformed network. First, consider the transformed network with
the restriction that the wiretapper can only wiretap any 3 links in the middle layer. The optimal
solution is exactly the same as for the original network of the previous subsection, and achieves
secrecy rate at most 5/3. Now, consider the transformed network without the restriction on the
wiretapping set, i.e., the wiretapper can wiretap any 3 links in the entire network. As wiretapping
only the middle layer links is a subset of all possible strategies that the wiretapper can have, the
secrecy rate in the transformed network is less than or equal to that in the former case, which is
strictly smaller than the cut-set bound for $\epsilon$ strictly smaller than $1/3$. Therefore, the
cut-set bound is still unachievable when the wiretap links are unrestricted in the transformed graph.

V. NP-HARDNESS 

We show in the following that determining the secrecy capacity is NP-hard by reduction from
the clique problem, which determines whether a graph contains a clique (footnote 2) of at least a
given size $r$.

When the choice of the wiretap set is made known to the communicating nodes, the secrecy
capacity is given by the cut-set bound, from Theorem 1, and is achieved by not transmitting on
the wiretapped links. Finding the cut-set bound involves determining the worst case wiretap set.
This is equivalent to the network interdiction problem [14], which is to minimize the maximum
flow of the network when a given number of links in the network are removed. It is shown
in [14] that the network interdiction problem is NP-hard. Therefore, determining the secrecy
capacity for the case where the location of the wiretap links is known is NP-hard.

Footnote 2: A clique in a graph is a set of size $r$ of pairwise adjacent vertices, or in other
words, an induced subgraph which is a complete graph.
[Figure 7: (a) original graph $\mathcal{H}$; (b) transformed graph $\mathcal{G}_{\mathcal{H}}$, whose three layers of links have capacities 2, 1 and 1, ending at node $d$.]

Fig. 7. Example of NP-hardness proof for the case with knowledge of the wiretapping set.

To show that determining the secrecy capacity for the case where the location of the wiretap
links is unknown is NP-hard, we use the construction in [14] showing that for any clique problem
on a given graph $\mathcal{H}$, there exists a corresponding network $\mathcal{G}_{\mathcal{H}}$
whose secrecy capacity is $r$ when the location of the wiretap links is known if and only if
$\mathcal{H}$ contains a clique of size $r$. We then show that for all such networks
$\mathcal{G}_{\mathcal{H}}$, the secrecy capacity for the case when the location of the
wiretap links is unknown is equal to that for the case when this information is known, which
shows that there is a one-to-one correspondence between the clique problem and the secrecy
capacity problem.

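We briefly describe the approach in [14] in the following. Given an undirected graph
$\mathcal{H} = (\mathcal{V}_{\mathcal{H}}, \mathcal{E}_{\mathcal{H}})$, we will define a capacitated
directed network $\mathcal{G}_{\mathcal{H}}$ such that there exists a set of links $\mathcal{A}'$
in $\mathcal{G}_{\mathcal{H}}$ containing less than or equal to $|\mathcal{E}_{\mathcal{H}}| - \binom{r}{2}$
links such that $\mathcal{G}_{\mathcal{H}} - \mathcal{A}'$ has a maximum flow of $r$ if and only if
$\mathcal{H}$ contains a clique of size $r$. For a given undirected graph
$\mathcal{H} = (\mathcal{V}_{\mathcal{H}}, \mathcal{E}_{\mathcal{H}})$ without parallel links and
self loops, we create a capacitated, directed graph $\mathcal{G}_{\mathcal{H}} = (\mathcal{N}, \mathcal{A})$
as follows: For each link $e \in \mathcal{E}_{\mathcal{H}}$ create a node $i_e$ in a node set
$\mathcal{N}_1$ and for each vertex $v \in \mathcal{V}_{\mathcal{H}}$ create a node $j_v$ in a
node set $\mathcal{N}_2$. In addition, create source node $s$ and destination node $d$. For each
link $e \in \mathcal{E}_{\mathcal{H}}$, direct a link in $\mathcal{G}_{\mathcal{H}}$ from $s$ to
$i_e$ with capacity 2 and call this set of links $\mathcal{A}_1$. For each link
$e = (u, v) \in \mathcal{E}_{\mathcal{H}}$, direct two links in $\mathcal{G}_{\mathcal{H}}$ from
$i_e$ to $j_v$ and $j_u$ with capacity 1, respectively, and call this set of links $\mathcal{A}_2$.
For each vertex $v \in \mathcal{V}_{\mathcal{H}}$, direct a link with capacity 1 from $j_v$ to $d$.
Let this be the set of links $\mathcal{A}_3$. This completes the construction of
$\mathcal{G}_{\mathcal{H}} = (\mathcal{N}, \mathcal{A}) = (\{s\} \cup \{d\} \cup \mathcal{N}_1 \cup \mathcal{N}_2, \mathcal{A}_1 \cup \mathcal{A}_2 \cup \mathcal{A}_3)$.
In Fig. 7 we give an example of the graph transformation, where
$\mathcal{H} = (\{1,2,3,4\}, \{a,b,c,x,y\})$. We use the following result from [14]:

Lemma 1 ([14, Lemma 2]): Let $\mathcal{G}_{\mathcal{H}}$ be constructed from $\mathcal{H}$ as above.
Then, there exists a set of links $\mathcal{A}'_1 \subseteq \mathcal{A}_1$ with
$|\mathcal{A}'_1| = |\mathcal{E}_{\mathcal{H}}| - \binom{r}{2}$ such that the maximum flow from $s$
to $d$ in $\mathcal{G}_{\mathcal{H}} - \mathcal{A}'_1$ is $r$ if and only if $\mathcal{H}$ contains
a clique of size $r$. ■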
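
The construction and Lemma 1 above, as an added example that is not code from the paper or from [14]: it builds the three link layers for a small graph, computes the max-flow with Edmonds-Karp, and finds the worst-case wiretap set inside the first layer by exhaustive search over all subsets of the required size, which is exponential in the number of edges. The two sample graphs are constructed here; their edge endpoints are assumptions, since Fig. 7 survives only as vertex and edge names.

```python
from collections import deque
from itertools import combinations

def build_network(h_edges, removed=()):
    """G_H minus the A1 links of the edges in `removed` (the wiretap set A1')."""
    cap = {}
    for e, (u, v) in h_edges.items():
        if e not in removed:
            cap[("s", ("i", e))] = 2             # A1: s -> i_e, capacity 2
        for w in (u, v):
            cap[(("i", e), ("j", w))] = 1        # A2: i_e -> j_u and j_v, capacity 1
            cap[(("j", w), "d")] = 1             # A3: j_v -> d, capacity 1
    return cap

def max_flow(cap, s="s", t="d"):
    """Edmonds-Karp (shortest augmenting paths) on integer capacities."""
    res = dict(cap)
    nodes = {n for link in cap for n in link}
    flow = 0
    while True:
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:
            a = queue.popleft()
            for b in nodes:
                if b not in parent and res.get((a, b), 0) > 0:
                    parent[b] = a
                    queue.append(b)
        if t not in parent:
            return flow
        path, b = [], t
        while parent[b] is not None:
            path.append((parent[b], b))
            b = parent[b]
        push = min(res[link] for link in path)
        for a, b in path:
            res[(a, b)] -= push
            res[(b, a)] = res.get((b, a), 0) + push
        flow += push

def worst_case_wiretap(h_edges, r):
    """(min max-flow, A1') over all A1' with |A1'| = |E_H| - C(r,2); None if C(r,2) > |E_H|."""
    k = len(h_edges) - r * (r - 1) // 2
    if k < 0:
        return None
    return min((max_flow(build_network(h_edges, removed)), removed)
               for removed in combinations(sorted(h_edges), k))

def has_clique(h_edges, r):
    """Lemma 1: H has a clique of size r iff the worst-case max-flow equals r."""
    worst = worst_case_wiretap(h_edges, r)
    return worst is not None and worst[0] == r

H_TRIANGLES = {"a": (1, 2), "b": (2, 3), "c": (1, 3), "x": (3, 4), "y": (1, 4)}  # constructed
H_CYCLE = {"a": (1, 2), "b": (2, 3), "c": (3, 4), "x": (1, 4)}                   # constructed
```

On the constructed graph with two triangles, removing the two first-layer links of edges a and b leaves a max-flow of 3, so a clique of size 3 exists; on the 4-cycle every choice leaves a max-flow of 4.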

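After obtaining $\mathcal{G}_{\mathcal{H}}$, we generate $\mathcal{G}_{\mathcal{H}}$ by replacing
each link $(i_e, j_v)$ with $|\mathcal{E}_{\mathcal{H}}|$ parallel links each with capacity
$1/|\mathcal{E}_{\mathcal{H}}|$ and call this link set $\mathcal{A}_2$. We carry out the same
procedure for links $(j_v, d)$ and call this link set $\mathcal{A}_3$. Then
$\mathcal{G}_{\mathcal{H}} = (\mathcal{N}, \mathcal{A}) = (\{s\} \cup \{d\} \cup \mathcal{N}_1 \cup \mathcal{N}_2, \mathcal{A}_1 \cup \mathcal{A}_2 \cup \mathcal{A}_3)$.
For the case when the location of wiretap links is known, it is shown in [14] that the worst case
wiretapping set $\mathcal{A}'$ must be a subset of $\mathcal{A}_1$. By using Lemma 1, this case is
NP-hard.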

Now, we consider the secrecy capacity when $k = |\mathcal{E}_{\mathcal{H}}| - \binom{r}{2}$ and the
wiretapping set is unknown. From Lemma 1, the condition that $\mathcal{H}$ contains a clique of
size $r$ is equivalent to the condition that the max-flow to the sink in $\mathcal{G}_{\mathcal{H}}$
after removing any $k$ links from $\mathcal{A}_1$ is at least $r$. We now show that the latter
condition is equivalent to the condition that the secrecy capacity of $\mathcal{G}_{\mathcal{H}}$
when the wiretapper accesses any unknown subset of $k$ links from $\mathcal{A}_1$ (Scenario 1) is
at least $r$. For each subset $\mathcal{A}'_1$ of $k$ links from $\mathcal{A}_1$, we create nodes
$t^{\mathcal{A}'_1}$ and $d^{\mathcal{A}'_1}$ with their corresponding incident links as described
in Strategy 1. As the wiretapped links each have capacity 2 and are connected to the source
directly, the min-cut between the source and each virtual sink $d^{\mathcal{A}'_1}$ is at
least $2k + r$. Then, by using Strategy 1 the secrecy rate $r$ is achievable.

Finally, we show that the same condition is also equivalent to the condition that the secrecy
capacity of $\mathcal{G}_{\mathcal{H}}$ when any $k$ links are wiretapped (Scenario 2) is at least
$r$. Since each second layer link has a single first layer link as its only input, wiretapping a
second layer link yields no more information to the wiretapper than wiretapping a first layer
link. When some links in the third layer are wiretapped, let the wiretapping set be
$\mathcal{A}' = \mathcal{A}'_1 \cup \mathcal{A}'_3$ where $|\mathcal{A}'_3| \ge 1$ and
$|\mathcal{A}'_1| \le k - 1$. Thus $\mathcal{A}_1 - \mathcal{A}'_1$ contains at least
$\binom{r}{2} + 1$ links. We create nodes $t^{\mathcal{A}'}$ and $d^{\mathcal{A}'}$ with their
corresponding incident links as described in Strategy 1. Since removing links in $\mathcal{A}_1$
corresponds to removing links in $\mathcal{H}$, after removing links in $\mathcal{H}$
corresponding to $\mathcal{A}'_1$, $\mathcal{H}$ contains a subgraph $\mathcal{H}_1$ containing
$\binom{r}{2}$ links plus at least one link $e = (u, v)$.

Case 1: $\mathcal{H}_1$ is a clique of size $r$. In this case, the number of vertices with degree
greater than 0 in $\mathcal{H}_1 \cup e$ is $r + 2$.

Case 2: $\mathcal{H}_1$ is not a clique. $\mathcal{H}_1$ contains at least $r + 1$ vertices with
degree greater than 0.

According to [14, Lemma 1], the max-flow in $\mathcal{G}_{\mathcal{H}}$ is equal to the number of
vertices in $\mathcal{H}$ with degree greater than 0. In both cases, the max-flow of
$\mathcal{G}_{\mathcal{H}}$ after removing links in $\mathcal{A}'_1$ is at least $r + 1$. Let
$R_{s \to \mathcal{A}'_3}$ be the max-flow capacity from the source to $\mathcal{A}'_3$ in
$\mathcal{G}_{\mathcal{H}} - \mathcal{A}'_1$.

We can use a variant of the Ford-Fulkerson (augmenting paths) algorithm, e.g., [15], as follows
to construct a max-flow subgraph $V$ from $s$ to $\mathcal{A}'_3$ in
$\mathcal{G}_{\mathcal{H}} - \mathcal{A}'_1$ satisfying the property that after removing $V$ from
$\mathcal{G}_{\mathcal{H}} - \mathcal{A}'_1$, the min-cut between $s$ and $d$ is at least

$$
r + 1 - R_{s \to \mathcal{A}'_3} \ge r + 1 - \frac{|\mathcal{A}'_3|}{|\mathcal{E}_{\mathcal{H}}|} \ge r + 1 - \frac{|\mathcal{E}_{\mathcal{H}}| - 1}{|\mathcal{E}_{\mathcal{H}}|} > r, \tag{7}
$$

where we have used $|\mathcal{A}'_3| \le |\mathcal{E}_{\mathcal{H}}| - 1$. Considering the network
$\mathcal{G}_{\mathcal{H}} - \mathcal{A}'_1$ with all link directions reversed, we construct
augmenting paths via depth first search from $d$ to $s$, starting first by constructing augmenting
paths via links in $\mathcal{A}'_3$, until we obtain a set of paths corresponding to a max flow of
capacity $R_{s \to \mathcal{A}'_3}$ between $s$ and $\mathcal{A}'_3$. We add further augmenting
paths until we obtain a max flow (of capacity at least $r + 1$) between $s$ and $d$, which may
cause some of the paths traversing links in $\mathcal{A}'_3$ to be redefined but without changing
their total capacity. The subgraph $V$ consists of the final set of paths traversing links in
$\mathcal{A}'_3$. Thus, the paths remaining after removing $V$ have a total capacity lower bounded
by (7).

Therefore, the min-cut between the source and $d^{\mathcal{A}'}$ in
$\mathcal{G}_{\mathcal{H}} - \mathcal{A}'_1 - V$ is at least $r$, and the min-cut between the
source and $d^{\mathcal{A}'}$ in $\mathcal{G}_{\mathcal{H}}$ is at least
$r + R_{s \to \mathcal{A}'_1} + R_{s \to \mathcal{A}'_3} = r + R_{s \to \mathcal{A}'}$. By using
Strategy 1, a secure rate of $r$ is achievable when $\mathcal{A}'$ is wiretapped. Thus, the secrecy
rate for the case when the location of the wiretap links is unknown is equal to that for the case
when such information is known with an unrestricted wiretapping set. We have thus proved the
following theorem.

Theorem 3: For a single-source single-sink network consisting of point-to-point links and an
unknown wiretapping set, computing the secrecy capacity is NP-hard.

VI. Conclusion

In this paper, we addressed the secrecy capacity of wireline networks where different links
have different capacities. In particular, it was shown that the secrecy capacity is not the same in
general when the location of the wiretapped links is known or unknown; in the former case the
capacity is given by a cut-set bound, which is unachievable in general in the latter case. Further,
we proposed achievable strategies where random keys are canceled at intermediate non-sink
nodes, or injected at intermediate non-source nodes. Finally, we showed that determining the
secrecy capacity is an NP-hard problem.

Appendix: Proof of Theorem 2 

We prove Theorem 2 by contradiction. Suppose that a secrecy rate of 2 is achievable for the
network in Fig. 5. As before, let $X$ and $K$ denote respectively the secret message and random
key injected by the source node, and $S_i$ the signal on link $i$. Then each triple of links in the
middle layer has zero mutual information with the source data, and each pair of links in the
middle layer has joint conditional entropy 2 given the other three links.

Since the message $X$ is decodable from information on the last layer, we have
$I(S_6, S_7, S_8; X) = 2$. Since $I(S_1, S_2, S_3; X) = 0$, by the data processing inequality
$I(S_6; X) = 0$, therefore, $I(S_7, S_8; X \mid S_6) = 2$ and
$H(S_7 \mid S_6) = I(S_7; X \mid S_6) = 1$. Then,
$H(S_7 \mid X, S_6) = H(S_7 \mid S_6) - I(S_7; X \mid S_6) = 0$. This implies that $S_7$ does not
depend on random keys injected by nodeS / or head(4) which would be independent of $X, S_6$.
Similarly, $I(S_8; X) = 0$, implying $H(S_7 \mid S_8) = I(S_7; X \mid S_8) = 1$ and
$H(S_7 \mid X, S_8) = 0$. Thus, $S_7$ does not depend on random keys injected by node head(2)
which would be independent of $X$ and $S_6$. In a similar manner, we can show that $S_6$ and $S_8$
also do not depend on any random keys injected after the middle layer. Also, since
$H(S_7, S_8 \mid S_6) \ge I(S_7, S_8; X \mid S_6) = 2$ and $H(S_6) \ge H(S_6 \mid S_8) = 1$,
therefore $H(S_6, S_7, S_8) = 3$. Let $S_A$ denote the adversary's observations. By the secrecy
requirement, $H(S_6, S_7, S_8 \mid S_A) = 2$, which implies
$I(S_6, S_7, S_8; S_A) = H(S_6, S_7, S_8) - H(S_6, S_7, S_8 \mid S_A) = 1$.

Then, the mutual information $I(S_6; S_2, S_3) = 0$, otherwise, if the adversary sees signals 2-4
his mutual information with signals 6-7 is greater than 1. The mutual information
$I(S_8; S_1, S_4) = 0$, otherwise if the adversary sees signals 1, 2, 4 his mutual information with
signals 7-8 is greater than 1. The mutual information $I(S_8; S_4, S_5) = 0$, otherwise if the
adversary sees signals 2, 4, 5 his mutual information with signals 7-8 is greater than 1. The
mutual information $I(S_7; S_4, S_5) = 0$, otherwise if the adversary sees signals 1, 4, 5, his
mutual information with signals 7-8 is greater than 1.

Case 1: signal 5 is a function of only signals present at the source node, i.e.,
$H(S_5 \mid X, K) = 0$. By the zero mutual information condition for links 1, 2 and 5,
$H(S_1, S_2, S_5 \mid X) = 3$, so

$$
H(S_1, S_2, S_5 \mid X, K) = H(S_1, S_2 \mid X, K, S_5) = 2. \tag{8}
$$

Since $S_4$ is conditionally independent of $S_1, S_2$ given $X$ and $K$, we have
$H(S_1, S_2 \mid X, K, S_4, S_5) = 2$, $I(S_1, S_2; X, K, S_4, S_5) = 0$ and
$I(S_1, S_2; X, K \mid S_4, S_5) = 0$. Now

$$
I(S_1, S_2, S_7, S_8; X, K \mid S_4, S_5) = I(S_7, S_8; X, K \mid S_4, S_5) + I(S_1, S_2; X, K \mid S_7, S_8, S_4, S_5). \tag{9}
$$

Since $(S_7, S_8)$ is conditionally independent of $(X, K)$ given $S_1, S_2, S_4, S_5$, we have

$$
I(S_7, S_8; X, K \mid S_1, S_2, S_4, S_5) = 0. \tag{10}
$$

Then by the non-negativity of conditional mutual information,

$$
I(S_7, S_8; X, K \mid S_4, S_5) \le I(S_1, S_2; X, K \mid S_4, S_5) = 0. \tag{11}
$$

Next, note that $S_1$ and $S_2$ are conditionally independent given $S_4$ and $S_5$, since
$H(S_1 \mid S_4, S_5) = H(S_2 \mid S_1, S_4, S_5) = 1$. Therefore $S_7$ and $S_8$ are conditionally
independent given $S_4$ and $S_5$, i.e., $I(S_7; S_8 \mid S_4, S_5) = 0$. Since
$H(S_7 \mid S_4, S_5) = H(S_7) - I(S_7; S_4, S_5) = 1$, it follows that
$H(S_7 \mid S_8, S_4, S_5) = 1$. Then we have

$$
\begin{aligned}
I(S_7, S_8; S_4, S_5) &= I(S_8; S_4, S_5) + I(S_7; S_4, S_5 \mid S_8) \\
&= I(S_8; S_4, S_5) + H(S_7 \mid S_8) - H(S_7 \mid S_4, S_5, S_8) = 0 + 1 - 1 = 0.
\end{aligned}
\tag{12}
$$

So, $I(S_7, S_8; X, K, S_4, S_5) = I(S_7, S_8; X, K \mid S_4, S_5) + I(S_7, S_8; S_4, S_5) = 0$, and
therefore $H(S_7, S_8 \mid X) \ge H(S_7, S_8 \mid X, K, S_4, S_5) = 2$, which contradicts the
requirement that there is at most 1 unit of random key on the last layer.

Case 2: signal 5 is not a function only of signals present at the source.

Case 2a: signal 1 has nonzero mutual information with some random key injected at node $c$.
Then $H(S_1 \mid X, K, S_2, S_3, S_4) > 0$. For brevity, let $A = (S_2, S_3)$ and
$Y = (X, K, S_4)$. Since $I(S_6; A) = 0$ and $H(S_6 \mid S_1, A) = 0$, we have
$H(A) + H(S_6) = H(A, S_6) \le H(A, S_1) = H(S_1) + H(A \mid S_1)$. Since $H(S_6) = H(S_1)$, we
have $H(A) = H(A \mid S_1)$ and so $H(S_1 \mid A) = H(S_1)$. Then from
$H(S_1, S_6 \mid A) = H(S_1 \mid A, S_6) + H(S_6 \mid A) = H(S_6 \mid A, S_1) + H(S_1 \mid A)$, we
have $H(S_1 \mid A, S_6) = 0$. Since $H(S_1 \mid A, Y, S_6) \le H(S_1 \mid A, S_6) = 0$ and
$H(S_6 \mid A, Y, S_1) \le H(S_6 \mid A, S_1) = 0$, from

$$
I(S_1; S_6 \mid Y, A) = H(S_1 \mid A, Y) - H(S_1 \mid A, Y, S_6) = H(S_6 \mid A, Y) - H(S_6 \mid A, Y, S_1) > 0 \tag{13}
$$

we have $H(S_6 \mid A, Y) = H(S_1 \mid A, Y) > 0$. Then since $H(S_7 \mid S_2, S_4) = 0$, we have
$H(S_6 \mid S_7, X) > 0$. Also, since $H(S_7 \mid X) = 1$, we have $H(S_6, S_7 \mid X) > 1$.

Case 2b: signal 1 has zero mutual information with any random key injected at node $c$.
Then $H(S_5 \mid X, K, S_1, S_2, S_4) > 0$. Similar reasoning as for case 2a applies with
$A = (S_1, S_4)$, $Y = (X, K, S_2)$, $S_5$ in place of $S_1$, and $S_8$ in place of $S_6$.

From Cases 1, 2a, and 2b, we conclude that the secrecy rate without knowledge of the
wiretapping set, using any nonlinear or linear coding strategy, is smaller than the rate of two
obtained for the case where such knowledge is present at the source.